The low hanging fruit of HIPAA enforcement: OCR deputy director discusses

In the changing digital health era, Timothy Noonan, deputy director for Health Information Privacy at the HHS Office for Civil Rights, is constantly reviewing HIPAA and privacy standards to ensure patient information is safe and in the right hands.

Previously, Mr. Noonan served in the OCR headquarters as the acting associate deputy director for operations and the acting director of OCR's centralized case management operations. He spent years as a supervisory general attorney for the U.S. Department of Education before joining the OCR.

Below, Mr. Noonan discusses misconceptions about HIPAA as well as how big tech companies, such as Google, are affecting patient information regulations. 

Editor's note: Responses have been lightly edited for clarity and length. 

Question: How is HHS/OCR addressing patient concerns with the Google and Ascension Project Nightingale?

Timothy Noonan: Generally, OCR does not comment on open or potential investigations. The OCR previously stated that we are interested in learning more about this mass collection of individuals' medical records. The use of big data to develop technology, such as artificial intelligence, to improve healthcare outcomes is an exciting prospect and could be one of the great medical achievements of this century. Progress towards this goal should not come at the expense of individuals' privacy and security rights. The HIPAA Rules support technology and innovation. When patients have full confidence in the privacy and security of their health information, they are more likely to share information with their providers that can lead to better health outcomes and further advances in treatment options. 

Q: Does HIPAA need an update? Or even an overhaul?

TN: The HIPAA Rules have been very successful in creating clarity with regard to individuals' rights and the regulated industry's obligations with regard to the privacy and security of health information. However, we believe it is important to revisit the HIPAA Rules periodically and consider modifications to respond to changes within the industry. OCR published a request for information in December 2018 to receive feedback from the public on potential HIPAA updates. We asked about the timeframe for responding to individuals' right of access requests, and whether it should be shortened. We asked about the sharing of medical information with family members and caregivers, and whether aspects of the existing permission could be improved. We also asked about whether there were any compliance burdens within the existing rules that may not promote the privacy and security of health information, such as the requirement for a provider to obtain an individual's signed acknowledgment of receipt of the Notice of Privacy Practices and the requirement to document the efforts to obtain the individual’s signature.  

We are currently working on proposed modifications to the HIPAA Privacy Rule that we believe will improve information sharing and coordinated, value-based healthcare, while also reducing regulatory burdens.  

Q: Do you see any "low hanging fruit" when it comes to HIPAA enforcement?

TN: OCR's HIPAA Enforcement program has noted recurring patterns of noncompliance within the regulated industry. That was the impetus for launching the Right of Access Initiative last year. OCR has provided rule-making, guidance, technical assistance and training on the HIPAA Right of Access, and yet it continues to be a major source for OCR complaints and frustration for the public. Everyone either knows someone or has their own story about difficulties faced when trying to obtain copies of medical records. 

OCR launched the Right of Access Initiative to address this continuing problem within the industry. Examples of obvious Right of Access compliance failures include not providing an individual with their records within 30 days; charging more than the allowable reasonable, cost-based fee; and not providing the medical records in the form and format requested when readily producible. 

 Q: How is the OCR responding to a federal judge's ruling that sections of HIPAA that were designed to facilitate cheaper access to patients' medical records are not permissible under the Administrative Procedure Act?

TN: The Federal District Court's decision did not affect an individual's right to get a copy of their health records, for a reasonable cost-based fee, and in the form and format they requested if readily producible. The court's decision only affected the ability of an individual to use the HIPAA Right of Access to have their health records sent to a third party.  

The practical effect of the decision is that if an individual wants to use the HIPAA Right of Access to have their health records sent to a third party, it can only be from an electronic health record, in an electronic format and the fee limitations do not apply. OCR will continue to vigorously enforce an individual's right to access their health records through our Right of Access Initiative. 

Q: What is one misconception or misunderstanding about HIPAA?

TN: A misconception that I would like to see changed is when following a traumatic event, such as an opioid overdose, we hear stories that medical information wasn't shared with family members before the incident because "HIPAA doesn't allow it." The HIPAA Privacy Rule has specific permissions that permit the sharing of an individual's health information without their authorization.  

First, when there is an emergency or an individual is incapacitated, relevant health information about that individual can be shared with persons that are involved in that individual's healthcare, such as family members, friends, or other loved ones, when it's in the individual's best interests. This permission can be used when a patient is incapacitated due to a mental health condition or substance use disorder, such as in cases of opioid overdose.  

Second, health information may be shared to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. This health information can be shared with law enforcement, family, friends, or others who are in a position to lessen or prevent the threatened harm. OCR's website has fact sheets and FAQs on these permissions along with hypotheticals to show how HIPAA is not a barrier to sharing information to protect individuals and the public.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars